My Pentest Log -19 — (A Little Tip in Burp Suite)
Greetings everyone from Porta Saint Jean de Cornibus,
Today, I would like to talk about the solution of an error I encountered in the burp suite software while I was performing dynamic side tests in mobile security tests.
Problem : “Attempting to auto-select SSL parameters”
1. We were informed by our project manager that the security tests for the X mobile application of the “private” company would be done by me.
2. First, I validated the scope form, performed the application setups, and started the static and dynamic tests.
3. However, during dynamic tests, I noticed that some of the traffic of the application was not displayed.
4. In such cases, I prefer to first start to examine what errors are received from the “alerts” tab, which is a nice feature of the burp suite.
5. When I go to the Alerts tab, I noticed that “Attempting to auto-select SSL parameters” warning. So why might that have happened?
As I am in love with the 1.7.37 version, I have encountered this warning in certain applications before, but I have always been able to solve this problem with the logic of close-open. Unfortunately, the 1.7.37 version has some unique errors that I cannot understand, and unfortunately there are not enough solutions for such problems or I cannot find them.
Anyway, back to our topic, when I retested this error that I encountered in the “alerts” tab by installing the latest version of burp suite, I realized that the application traffic was easily displayed.
At this point, I thought that I should make a few changes on the 1.7.37 version, but the solutions I applied were not enough to solve the problem, finally I did various research on google and came across the twitter post opened by “Jhaddix” — https://twitter.com/jhaddix/status/1133091329938841601?lang=en
I read the comments under this title one by one and noticed the comment of “Ryan Preston” among them.
I went back to the burp suite screen directly and turned the “Disable Java SNI extension” heading to disabled mode from the “Java SSL Options” options under the “SSL” title in the “User Options” tab, closed the burp suite software and then opened it again and I found that the requests are fully viewable and not receiving any alerts. (I applied this setting before, but it didn’t work because I disabled the “Enable algorithms blocked by java security policy” header. :) )
6. I solved this problem at the end of the day with Ryan Preston’s solution suggestion and I progressed my dynamic sided tests comfortably. (Merci Ryan)
In summary:
The problems you encounter may sometimes be in our test tools, in such cases, you can investigate the related problem by reading the comments of the people in the community.
